GDPR and Whois Changes

In the weeks since our last update, we have put in a lot of work behind-the-scenes on our GDPR implementation project. One aspect of this project, which we can now share more specific information about, concerns changes to the Whois system. We can also share some further details around how collecting and processing data will influence both our Reseller Agreements and your own end-user service agreements.

Whois Changes

The Whois directory is a powerful tool. You can look up who owns a domain to find their phone number, email, even their postal address. You can check when a domain was first registered, where it’s hosted, when it expires — that’s a lot of information available with just a few clicks. And because this system has been around for so long, and is such a fundamental aspect of the internet, we often assume that how it currently works is how it should work. But just because something has been a certain way for a long time doesn’t mean it must always be that way, and the GDPR’s looming deadline has prompted the re-examination of many processes and policies.

Instead of “how have we always done this?”, we’re asking questions such as “what’s the best way to do this?”, “what information is it truly necessary to include?” and “is there a legitimate legal basis for this process?”

What is changing?

The GDPR was drafted and brought into law without consideration for its effects on the domain name industry, leaving us to interpret how this regulation applies to our business. One particularly impactful section of the GDPR is Article 5, which lays out “principles relating to processing of personal data.” This is highly relevant to the Whois system, which is essentially just a repository of data, much of which is personally identifiable information about individuals. Warning: we are going to briefly venture into legal terminology here, but bear with us!

Under the GDPR, personal data may be collected and processed only when there is a legal reason to do so. For example, one such justification would be the performance of a contract; another is a situation where the data subject (the person to whom the data pertains) has given explicit consent for their data to be processed or collected.

The principle of data minimization requires that the data collected be relevant and limited to what is truly necessary to carry out the agreed-upon purpose for which the data is being collected. To add to this, the principles of purpose limitation and confidentiality limit the handling of personal data such that it cannot be processed or shared for any purpose other than that to which the individual initially agreed.

Simply put, under the GDPR:

We can only collect the minimum amount of data necessary to perform a specific action (e.g. register a domain)

Data can only be shared when there’s a legal basis to do so

Data can only be shared when necessary to fulfil the intended purpose of the data collection

So how will this impact Whois? Well, it is certainly difficult to argue that there is a legal basis for openly sharing contact details of a domain’s owner, administrator, or technical contact in the public Whois record. And we cannot claim that it helps to accomplish the original purpose for which the information was collected (registering the domain). This means that the public Whois system as it exists today is incompatible with the principles of data privacy that the GDPR affirms.

All that being said, the GDPR recognizes that there are times when there is a real, justifiable need for a third party to obtain personal data, such as domain ownership information, and these “legitimate interests” are also provided for within the policy. Think about, for example, an intellectual property lawyer who wants to know the owner of a domain in order to submit a trademark dispute, or a law enforcement officer tracking down the people behind a phishing scheme; they should be able to find out who owns the domain name under investigation. We need some way for Whois information to be provided to the people and organizations who have a legitimate reason for requesting it — but one that does not involve publicly exposing this sensitive data by default.

A New Whois

This leads to one of the biggest domain industry changes prompted by the GDPR: a gated Whois system.

Not all parts of a domain’s Whois record constitute personal data. The registrar information, initial registration, last update and expiry dates, domain status, and nameservers will all remain publicly available as they are today.

The registrant information — name, organization, address, phone number, and email — is personal data that can no longer be published in the public Whois. Instead, we plan to provide authenticated access in a specific and limited manner, so that those with legitimate reason to request personal data can access the information they require while the privacy of individuals remains protected.

Here’s a snapshot of what these changes may look like:

Don’t worry — this basic user data will still be visible to resellers through the Reseller Control Panel. As we work out the legalities, which will include updates to our Exhibit A, we will keep you updated.

What information will still be shown in the Whois?

While the GDPR only applies to EU-local individuals, there are data privacy and protection regulations in many other places around the world, which render a public Whois highly problematic, if not unlawful. With this in mind, what we know for sure is that we will no longer be able to publish personal data for any EU-located individual in the public Whois. What remains an open question is whether we will continue to publish personal data for registrants based outside of the EU; we do not yet have a final answer on that, and we’ll work through this issue over the next few months.

Even if the public Whois does “go dark”, it is certain that there will still be a need for a gated Whois, where registrant data will be made available to parties with a legitimate interest. That may include Law Enforcement, the Security community, Intellectual Property lawyers, Aftermarket providers, and Certificate Authorities, among others.

Now, there will always be the occasional, ostensibly savvy registrant who’s tempted to simply supply false information, so that their information is not saved anywhere, not even in the gated Whois. This is something we would never suggest. For legal reasons, ownership disputes being one example, it’s important that the domain contact information be accurate. Additionally, the registration agreement that all domain owners accept as part of registering a domain through an EPAG Reseller confirms that all information provided will need to be accurate, current, and reliable. These are ICANN imposed conditions, and registrants risk having their domain suspended or cancelled if these requirements are not met.

Reseller Changes Coming this Year

All this talk about new restrictions on data processing and collection, and the various process changes they entail, brings us to our final point: how will it all impact you, our resellers? In the lead-up to May 2018, we are doing as much as possible on our side to minimize the changes you have to make on your side. But despite all our best efforts, there will inevitably be things you need to do as a reseller.

This involves another (even briefer) journey into legal territory. According to our interpretation, EPAG is a data controller (we determine “the purposes and means of the processing of personal data”) for specific data elements: registrant first and last name, organization, email address, and country. This is all the information we require in order to enter into the registration agreement with the domain owner. For all other data elements (e.g. address, phone, and fax numbers, among others), we are simply a data processor. The difference here is that we are handling this data on behalf of either the registry or the reseller, without actually requiring it ourselves. For example, we do not need a registrant’s physical address to provide them with a domain name, but you may require it for billing purposes. Various data requirements will also exist at the registry level. As a data processor, we store and transmit this information on behalf of both registries and resellers, and in order for the exchange of all this information to occur, it must be covered in a GDPR-compliant agreement.

To that end, one thing that is definitely coming is an update to our Reseller Agreements — we need to add some information around what we require as a data controller, as well as the changes mentioned earlier, which will remove any concern around resellers accessing clients’ personal data in the Control Panel.

As a reseller, you will want to work with your own legal team to review your customer agreements and work through any changes that may need to be in place before that May 25th deadline. We will also have some recommended language for resellers to include in end-user service agreements, so stay tuned.

What’s next?

Next month’s GDPR update post will focus on how we plan to request consent from individuals for the use of their personal data. Until then, we will continue working hard on our implementation. As a reseller, you can use this time to seek your own legal advice, and think about what information you are collecting from customers — how does it align with the GDPR’s principles of data minimization, purpose limitation, and confidentiality?

You can wrap your head around the basics, and find helpful context on our GDPR page. Our previous blog post also highlights some fantastic resources that outline emerging GDPR best practices. And finally, we encourage you to sign up for our newsletter so you don’t miss a thing!